Investigate ASLR re-randomization being disabled for children
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Medium
|
Nick Rosbrook | ||
Noble |
Fix Committed
|
Medium
|
Unassigned |
Bug Description
[Impact]
The systemd-
This was discovered as part of the CVE-2024-6387 discovery by Qualys, and is mentioned in the disclosure itself:
Side note: we discovered that Ubuntu 24.04 does not re-randomize the
ASLR of its sshd children (it is randomized only once, at boot time); we
tracked this down to the patch below, which turns off sshd's rexec_flag.
This is generally a bad idea, but in the particular case of this signal
handler race condition, it prevents sshd from being exploitable: the
syslog() inside the SIGALRM handler does not call any of the malloc
functions, because it is never the very first call to syslog().
This is also mentioned in the release notes of OpenSSH 9.8:
Exploitation on non-glibc systems is conceivable but has not been
examined. Systems that lack ASLR or users of downstream Linux
distributions that have modified OpenSSH to disable per-connection
ASLR re-randomisation (yes - this is a thing, no - we don't
understand why) may potentially have an easier path to exploitation.
We should investigate why that was needed, and if an alternative way of fixing the original bug can be done.
[Test Plan]
We just want to test that when a connection is accepted by sshd, the child process re-execs. There is a log message at the debug level from sshd when this happens.
1. Enable debug-level logging in sshd:
$ echo "LogLevel DEBUG" >> /etc/ssh/
2. Watch the logs:
$ journalctl -t sshd -b -f
3. From another host, connect to the test machine:
$ ssh <user>@<test host>
4. On the test machine, among other messages, there should be a message noting the start of the re-exec, e.g.:
sshd[2212]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9
[Where problems could occur]
Through the iterations of d/p/systemd-
However, as was the case with previous bugs in this area, problems would most likely be related to incorrectly closing, or not closing, socket fds in sshd.
[1] https:/
[2] https:/
Related branches
- Marc Deslauriers (community): Approve
-
Diff: 231 lines (+49/-46)2 files modifieddebian/changelog (+13/-0)
debian/patches/systemd-socket-activation.patch (+36/-46)
tags: | added: rls-oo-incoming |
Changed in openssh (Ubuntu): | |
status: | New → Confirmed |
summary: |
- Investigate ASLR being disabled for children + Investigate ASLR re-randomization being disabled for children |
Changed in openssh (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in openssh (Ubuntu Noble): | |
importance: | Undecided → Medium |
tags: | removed: foundations-todo |
description: | updated |
Changed in openssh (Ubuntu Noble): | |
status: | New → In Progress |
Subscribing Nick, who appears to be the original delta author.